1st UNIT

The document provides an extensive overview of cyber security, covering fundamental concepts, types of attacks, and the importance of a layered security approach. It highlights various layers of security, including human, perimeter, network, application, endpoint, data, and mission-critical assets, emphasizing the need for proactive measures against vulnerabilities and threats. Additionally, it discusses the significance of cybersecurity in protecting data and systems from diverse threats such as malware, social engineering, and insider attacks.

Uploaded by its sonu

UNIT – I: Introduction to Cyber Security: Basic Cyber Security Concepts, layers of security, Vulnerability, threat, Harmful acts, the motive of attackers, active attacks, passive attacks, Software attacks, hardware attacks, Spectrum of attacks, Taxonomy of various attacks, IP spoofing, Methods of defense, Security Models, risk management, Cyber Threats-Cyber Warfare, Cyber Crime, Cyber terrorism, Cyber Espionage, etc., CIA Triad

Introduction to Cyber Security

Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats. The practice is used by
individuals and enterprises to protect against unauthorized access to data centers and other computerized systems.

Basic Cyber Security Concepts

A strong cybersecurity strategy can provide a good security posture against malicious attacks designed to access, alter, delete, destroy or
extort an organization's or user's systems and sensitive data. Cybersecurity is also instrumental in preventing attacks that aim to disable or
disrupt a system's or device's operations.

Why is cybersecurity important?

With an increasing number of users, devices and programs in the modern enterprise, combined with the increased deluge of data -- much of
which is sensitive or confidential -- the importance of cybersecurity continues to grow. The growing volume and sophistication of cyber
attackers and attack techniques compound the problem even further.

What are the elements of cybersecurity and how does it work?

The cybersecurity field can be broken down into several different sections, the coordination of which within the organization is crucial to the
success of a cybersecurity program. These sections include the following:

• Application security

• Information or data security

• Network security

• Disaster recovery/business continuity planning

• Operational security

• Cloud security

• Critical infrastructure security

• Physical security

• End-user education

Maintaining cybersecurity in a constantly evolving threat landscape is a challenge for all organizations. Traditional reactive approaches, in which resources were put toward protecting systems against the biggest known threats while lesser-known threats were left undefended, are no longer sufficient. To keep up with changing security risks, a more proactive and adaptive approach is necessary. Several key cyber security advisory organizations offer guidance. For example, the National Institute of Standards and Technology (NIST) recommends adopting continuous monitoring and real-time assessments as part of a risk assessment framework to defend against known and unknown threats.

What are the benefits of cyber security?

The benefits of implementing and maintaining cyber security practices include:

• Business protection against cyber-attacks and data breaches.

• Protection for data and networks.

• Prevention of unauthorized user access.

• Improved recovery time after a breach.

• Protection for end users and endpoint devices.

• Regulatory compliance.

• Business continuity.

• Improved confidence in the company's reputation and trust for developers, partners, customers, stakeholders and employees.

Layers of security

In a world increasingly dominated by the digital realm, the invisible armor of cyber security is what stands between us and a host of cyber
threats poised to exploit our every move. This article is your gateway to understanding the multifaceted world of cyber security, dissecting
the 7 pivotal layers that form the bulwark against the ever-evolving landscape of cyber threats. Each layer is a beacon in the storm of digital
vulnerability, offering unique protection mechanisms to shield your precious digital territories.

1. Human Layer:

The human layer, often regarded as the most vulnerable layer, focuses on the human element within an organization. It involves
implementing practices and policies that ensure that employees, contractors, and other users do not fall victim to phishing attacks and other
security threats due to human error or lack of knowledge.
Examples of human layer security measures include security awareness training, strong password policies, and multi-factor authentication,
ensuring that users can identify and respond appropriately to security threats.

2. Perimeter Security Layer:

The perimeter security layer is akin to the walls of a fortress. It serves to protect the network by controlling incoming and outgoing network traffic based on an organization's previously established security policies. At its core, it involves implementing firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and VPNs to create a barrier between your secure internal network and untrusted external networks such as the internet.

An example of how this works is a firewall that filters incoming traffic to allow or block packets based on the organization’s security policies, thus preventing unauthorized access to networked resources.

3. Network Layer:

The network layer is crucial in managing and protecting the communication between applications and devices on your network. This layer
employs various security measures and controls to prevent attackers from intercepting and tampering with information as it travels over the
network. Examples of network layer security include the use of secure protocols like HTTPS, employing network segmentation to separate
sensitive parts of the network from less sensitive ones, and implementing security solutions like anti-malware and antivirus software to
monitor and analyze network traffic for malicious activity and unauthorized access.

The network layer is pivotal in the cyber security landscape as it serves as the communication bridge connecting various components within
a network, facilitating data transfer between them. It holds immense importance because it is inundated with a multitude of information
exchanges, making it a lucrative target for cyber adversaries aiming to intercept, modify, or disrupt the data flow. By securing the network
layer through strategies like encryption, secure protocols, and robust network architectures, organizations can ensure the integrity,
availability, and confidentiality of the transmitted information, thereby protecting against unauthorized access and potential cyber-attacks,
and maintaining seamless and secure organizational operations.

4. Application Security Layer:

This layer focuses on keeping software and devices free of threats. Secure coding practices are vital here, as vulnerabilities in the application can serve as entry points for cyber threats. Examples of application security measures include regular security scanning and testing to identify and remedy vulnerabilities, and employing application security solutions like Web Application Firewalls (WAFs) to protect against threats such as SQL injection (a code injection technique that might destroy your database) and Cross-Site Scripting (XSS) (an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website; attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it).

5. Endpoint Security Layer:

The endpoint security layer concentrates on safeguarding the individual devices that connect to the network, like computers, smartphones,
and tablets. Since these endpoints serve as access points to the network, securing them is crucial. An example of endpoint security is
employing antivirus programs and endpoint detection and response (EDR) solutions to monitor, detect, and block malicious activities and
threats on endpoints, ensuring that even if a device is compromised, the threat does not propagate through the network.

6. Data Security Layer:

This layer is dedicated to protecting the data residing in the network, focusing on maintaining its confidentiality, integrity, and availability.
Encryption is a prime example of a data security measure, where sensitive data is converted into a coded format to prevent unauthorized
access. Another example is employing backup solutions and establishing robust access controls to safeguard data from loss, exposure, and
unauthorized access, ensuring only authorized personnel can access sensitive information.

7. Mission-Critical Assets:

This layer focuses on safeguarding assets that are crucial to an organization's operations and business continuity. These could include
proprietary software, sensitive customer data, or essential hardware. Protection strategies here involve implementing layered defenses like
firewalls, intrusion detection and prevention systems, and robust access controls. For instance, regularly updating and patching mission-
critical applications ensures that vulnerabilities are addressed, minimizing the risk of exploitation and ensuring the uninterrupted
functionality of essential assets.

What are vulnerabilities, and how are they exploited?

A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. Vulnerabilities can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.

Flaws

A flaw is unintended functionality. This may either be a result of poor design or through mistakes made during implementation. Flaws may
go undetected for a significant period of time. The majority of common attacks we see today exploit these types of vulnerabilities. Between
2014 and 2015, nearly 8,000 unique and verified software vulnerabilities were disclosed in the US National Vulnerability Database (NVD).

Vulnerabilities are actively pursued and exploited by the full range of attackers. Consequently, a market has grown in software flaws, with ‘zero-day’ vulnerabilities (that is, recently discovered vulnerabilities that are not yet publicly known) fetching hundreds of thousands of pounds.

Zero-day vulnerabilities

Zero-days are frequently used in bespoke attacks by the more capable and well-resourced attackers. Once the zero-days become publicly known, reusable attacks are developed and they quickly become a commodity capability. This poses a risk to any computer or system that has not had the relevant patch applied, or has not updated its antivirus software. The ability of an attacker to find and attack software flaws or subvert features depends on the nature of the software and the attacker's technical capabilities. Some target platforms are relatively simple to access; for example, web applications may, by design, be capable of interacting with the Internet and so provide an opportunity for an attacker.

A zero-day vulnerability is a flaw in a piece of software that is unknown to the programmer(s) or vendor(s) responsible for the
application(s). Because the vulnerability isn’t known, there is no patch available.

In other words, the vulnerability has been discovered by someone who isn’t directly involved with a project. The term zero day refers to the
days between the time the vulnerability was discovered and the first attack against it. After a zero-day vulnerability has been made public, it
is then referred to as an n-day vulnerability.

Here’s how the zero day timeline works:

1. A person or company creates a piece of software that includes a vulnerability that is unknown to those involved with programming or distribution.
2. Someone (outside of those responsible for the software) discovers the vulnerability before a developer has a chance to locate or fix the problem.
3. The person who discovers the vulnerability creates malicious code to exploit the vulnerability.
4. The exploit is released.
5. Those responsible are informed of the exploit and patch their software.
6. The vulnerability is no longer considered a zero day.
7. The patch is released.

Most often, exploits against zero-day vulnerabilities are not discovered right away. It can often take days or months before these flaws are found, which is what makes these types of vulnerabilities so dangerous.

Features

A feature is intended functionality which can be misused by an attacker to breach a system. Features may improve the user’s experience,
help diagnose problems or improve management, but they can also be exploited by an attacker.

When Microsoft introduced macros into their Office suite in the late 1990s, macros soon became the vulnerability of choice with the Melissa
worm in 1999 being a prime example. Macros are still exploited today; the Dridex banking Trojan that was spreading in late 2014 relies on
spam to deliver Microsoft Word documents containing malicious macro code, which then downloads Dridex onto the affected system.

JavaScript, widely used in dynamic web content, continues to be used by attackers. This includes diverting the user’s browser to a malicious
website and silently downloading malware, and hiding malicious code to pass through basic web filtering.

User error

A computer or system that has been carefully designed and implemented can minimize the vulnerabilities that come with exposure to the Internet. Unfortunately, such efforts can be easily undone (for example by an inexperienced system administrator who enables vulnerable features, fails to fix a known flaw, or leaves default passwords unchanged).

More generally, users can be a significant source of vulnerabilities. They make mistakes, such as choosing a common or easily guessed password, or leaving their laptop or mobile phone unattended. Even the most cyber-aware users can be fooled into giving away their password, installing malware, or divulging information that may be useful to an attacker (such as who holds a particular role within an organization, and their schedule). These details would allow an attacker to target and time an attack appropriately.

Cybersecurity Threats

What are Cybersecurity Threats?


Cybersecurity threats are acts performed by individuals with harmful intent, whose goal is to steal data, cause damage to or disrupt
computing systems. Common categories of cyber threats include malware, social engineering, man in the middle (MitM) attacks, denial of
service (DoS), and injection attacks—we describe each of these categories in more detail below.

Cyber threats can originate from a variety of sources, from hostile nation states and terrorist groups, to individual hackers, to trusted
individuals like employees or contractors, who abuse their privileges to perform malicious acts.

Common Sources of Cyber Threats

Here are several common sources of cyber threats against organizations:

• Nation states—hostile countries can launch cyber attacks against local companies and institutions, aiming to interfere with communications, cause disorder, and inflict damage.

• Terrorist organizations—terrorists conduct cyber attacks aimed at destroying or abusing critical infrastructure, threaten national security, disrupt economies, and cause bodily harm to citizens.

• Criminal groups—organized groups of hackers aim to break into computing systems for economic benefit. These groups use phishing, spam, spyware and malware for extortion, theft of private information, and online scams.

• Hackers—individual hackers target organizations using a variety of attack techniques. They are usually motivated by personal gain, revenge, financial gain, or political activity. Hackers often develop new threats, to advance their criminal ability and improve their personal standing in the hacker community.

• Malicious insiders—an employee who has legitimate access to company assets, and abuses their privileges to steal information or damage computing systems for economic or personal gain. Insiders may be employees, contractors, suppliers, or partners of the target organization. They can also be outsiders who have compromised a privileged account and are impersonating its owner.

Types of Cybersecurity Threats

Malware Attacks

Malware is an abbreviation of “malicious software”, which includes viruses, worms, Trojans, spyware, and ransomware, and is the most
common type of cyberattack. Malware infiltrates a system, usually via a link on an untrusted website or email or an unwanted software
download. It deploys on the target system, collects sensitive data, manipulates and blocks access to network components, and may destroy
data or shut down the system altogether.

Here are some of the main types of malware attacks:

• Viruses—a piece of code injects itself into an application. When the application runs, the malicious code executes.

• Worms—malware that exploits software vulnerabilities and backdoors to gain access to an operating system. Once installed in the network, the worm can carry out attacks such as distributed denial of service (DDoS).

• Trojans—malicious code or software that poses as an innocent program, hiding in apps, games or email attachments. An unsuspecting user downloads the trojan, allowing it to gain control of their device.

• Ransomware—a user or organization is denied access to their own systems or data via encryption. The attacker typically demands a ransom be paid in exchange for a decryption key to restore access, but there is no guarantee that paying the ransom will actually restore full access or functionality.

• Cryptojacking—attackers deploy software on a victim’s device, and begin using their computing resources to generate cryptocurrency, without their knowledge. Affected systems can become slow and cryptojacking kits can affect system stability.

• Spyware—a malicious actor gains access to an unsuspecting user’s data, including sensitive information such as passwords and payment details. Spyware can affect desktop browsers, mobile phones and desktop applications.

• Adware—a user’s browsing activity is tracked to determine behavior patterns and interests, allowing advertisers to send the user targeted advertising. Adware is related to spyware but does not involve installing software on the user’s device and is not necessarily used for malicious purposes, but it can be used without the user’s consent and compromise their privacy.

• Fileless malware—no software is installed on the operating system. Native tools like WMI (Windows Management Instrumentation, a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems; WMI provides users with information about the status of local or remote computer systems) and PowerShell are edited to enable malicious functions. This stealthy form of attack is difficult to detect (antivirus can’t identify it), because the compromised files are recognized as legitimate.

• Rootkits—software is injected into applications, firmware, operating system kernels or hypervisors, providing remote administrative access to a computer. The attacker can start the operating system within a compromised environment, gain complete control of the computer and deliver additional malware.

Social Engineering Attacks


Social engineering involves tricking users into providing an entry point for malware. The victim provides sensitive information or unwittingly installs malware on their device, because the attacker poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

• Baiting—the attacker lures a user into a social engineering trap, usually with a promise of something attractive like a free gift card. The victim provides sensitive information such as credentials to the attacker.

• Pretexting—similar to baiting, the attacker pressures the target into giving up information under false pretenses. This typically involves impersonating someone with authority, for example an IRS or police officer, whose position will compel the victim to comply.

• Phishing—the attacker sends emails pretending to come from a trusted source. Phishing often involves sending fraudulent emails to as many users as possible, but can also be more targeted. For example, “spear phishing” personalizes the email to target a specific user, while “whaling” takes this a step further by targeting high-value individuals such as CEOs.

• Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing sensitive data or granting access to the target system. Vishing typically targets older individuals but can be employed against anyone.

• Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the victim.

• Piggybacking—an authorized user provides physical access to another individual who “piggybacks” off the user’s credentials. For example, an employee may grant access to someone posing as a new employee who misplaced their credential card.

• Tailgating—an unauthorized individual follows an authorized user into a location, for example by quickly slipping in through a protected door after the authorized user has opened it. This technique is similar to piggybacking except that the person being tailgated is unaware that they are being used by another individual.

Supply Chain Attacks

Supply chain attacks are a new type of threat to software developers and vendors. Their purpose is to infect legitimate applications and distribute malware via source code, build processes or software update mechanisms.

Attackers look for non-secure network protocols, server infrastructure, and coding techniques, and use them to compromise build and update processes, modify source code and hide malicious content.

Supply chain attacks are especially severe because the applications being compromised by attackers are signed and certified by trusted
vendors. In a software supply chain attack, the software vendor is not aware that its applications or updates are infected with malware.
Malicious code runs with the same trust and privileges as the compromised application.

Types of supply chain attacks include:

• Compromise of build tools or development pipelines

• Compromise of code signing procedures or developer accounts

• Malicious code sent as automated updates to hardware or firmware components

• Malicious code pre-installed on physical devices

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication between two endpoints, such as a user and an application. The
attacker can eavesdrop on the communication, steal sensitive data, and impersonate each party participating in the communication.

Examples of MitM attacks include:

• Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate actor, such as a business, that users may connect to. The fraudulent Wi-Fi allows the attacker to monitor the activity of connected users and intercept data such as payment card details and login credentials.

• Email hijacking—an attacker spoofs the email address of a legitimate organization, such as a bank, and uses it to trick users into giving up sensitive information or transferring money to the attacker. The user follows instructions they think come from the bank but are actually from the attacker.

• DNS spoofing—the Domain Name System (DNS) is spoofed, directing a user to a malicious website posing as a legitimate site. The attacker may divert traffic from the legitimate site or steal the user’s credentials.

• IP spoofing—an internet protocol (IP) address connects users to a specific website. An attacker can spoof an IP address to pose as a website and deceive users into thinking they are interacting with that website.

• HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but can also be used to trick the browser into thinking that a malicious website is safe. The attacker uses “HTTPS” in the URL to conceal the malicious nature of the website.

Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic, hindering the ability of the system to function
normally. An attack involving multiple devices is known as a distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

• HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm an application or web server. This technique does not require high bandwidth or malformed packets, and typically tries to force a target system to allocate as many resources as possible for each request.

• SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection sequence involves sending a SYN request that the host must respond to with a SYN-ACK that acknowledges the request, and then the requester must respond with an ACK. Attackers can exploit this sequence, tying up server resources, by sending SYN requests but not responding to the SYN-ACKs from the host.

• UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets sent to random ports. This technique forces the host to search for applications on the affected ports and respond with “Destination Unreachable” packets, which uses up the host's resources.

• ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming both inbound and outgoing bandwidth. The servers may try to respond to each request with an ICMP Echo Reply packet, but cannot keep up with the rate of requests, so the system slows down.

• NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and can be exploited by an attacker to send large volumes of UDP traffic to a targeted server. This is considered an amplification attack due to the query-to-response ratio of 1:20 to 1:200, which allows an attacker to exploit open NTP servers to execute high-volume, high-bandwidth DDoS attacks.
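
As an added example (not part of the original notes), the following Python code turns the SYN flood description above into a detection check: it scans a constructed TCP segment log in an assumed "src -> dst FLAGS" format, tracks which client handshakes never received the client's final ACK, and reports sources whose half-open count reaches a threshold. The log format, addresses and threshold are all assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample log: one line per TCP segment observed at the server,
# in the assumed format "<client ip>:<port> -> <server ip>:<port> <flags>".
# The first client completes the three-way handshake; the second client
# sends SYNs, receives SYN-ACKs, and never sends the final ACK.
SAMPLE_LOG = """\
198.51.100.7:40001 -> 192.0.2.10:443 SYN
192.0.2.10:443 -> 198.51.100.7:40001 SYN-ACK
198.51.100.7:40001 -> 192.0.2.10:443 ACK
203.0.113.9:51000 -> 192.0.2.10:443 SYN
192.0.2.10:443 -> 203.0.113.9:51000 SYN-ACK
203.0.113.9:51001 -> 192.0.2.10:443 SYN
192.0.2.10:443 -> 203.0.113.9:51001 SYN-ACK
203.0.113.9:51002 -> 192.0.2.10:443 SYN
192.0.2.10:443 -> 203.0.113.9:51002 SYN-ACK
203.0.113.9:51003 -> 192.0.2.10:443 SYN
192.0.2.10:443 -> 203.0.113.9:51003 SYN-ACK
"""

SERVER = "192.0.2.10:443"   # the endpoint whose listen queue we care about


def parse_line(line):
    """Split one log line into (src, dst, flags); src and dst keep the ip:port form."""
    src, arrow, dst, flags = line.split()
    if arrow != "->":
        raise ValueError("unexpected log line: " + line)
    return src, dst, flags


def pending_handshakes(log_text, server=SERVER):
    """Return the set of client ip:port endpoints that sent SYN but never ACK.

    Each such endpoint corresponds to a SYN-ACK the server sent and is still
    waiting on, i.e. one half-open connection occupying server resources.
    """
    pending = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, flags = parse_line(line)
        if dst != server:
            continue            # only segments addressed to the server matter
        if flags == "SYN":
            pending.add(src)    # handshake opened
        elif flags == "ACK":
            pending.discard(src)  # handshake completed
    return pending


def half_open_by_client(log_text, server=SERVER):
    """Map each client IP to its number of half-open connections."""
    counts = defaultdict(int)
    for endpoint in pending_handshakes(log_text, server):
        ip = endpoint.rsplit(":", 1)[0]
        counts[ip] += 1
    return dict(counts)


def total_half_open(log_text, server=SERVER):
    """Total half-open connections, regardless of source.

    A flood that spoofs many source addresses spreads the count thinly across
    IPs, so the total is the number to watch alongside the per-client view.
    """
    return len(pending_handshakes(log_text, server))


def syn_flood_suspects(log_text, threshold, server=SERVER):
    """Client IPs whose half-open count reaches the (assumed) threshold."""
    counts = half_open_by_client(log_text, server)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("half-open per client:", half_open_by_client(SAMPLE_LOG))
    print("total half-open:", total_half_open(SAMPLE_LOG))
    print("suspects (threshold 3):", syn_flood_suspects(SAMPLE_LOG, 3))
```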

Injection Attacks

Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the code of a web application. Successful attacks
may expose sensitive information, execute a DoS attack or compromise the entire system.

Here are some of the main vectors for injection attacks:

• SQL injection—an attacker enters an SQL query into an end user input channel, such as a web form or comment field. A vulnerable application will send the attacker’s data to the database, and will execute any SQL commands that have been injected into the query. Most web applications use databases based on Structured Query Language (SQL), making them vulnerable to SQL injection. A new variant on this attack is NoSQL attacks, targeted against databases that do not use a relational data structure.

• Code injection—an attacker can inject code into an application if it is vulnerable. The web server executes the malicious code as if it were part of the application.

• OS command injection—an attacker can exploit a command injection vulnerability to input commands for the operating system to execute. This allows the attacker to exfiltrate OS data or take over the system.

• LDAP injection—an attacker inputs characters to alter Lightweight Directory Access Protocol (LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These attacks are very severe because LDAP servers may store user accounts and credentials for an entire organization.

• XML External Entities (XXE) injection—an attack is carried out using specially-constructed XML documents. This differs from other attack vectors because it exploits inherent vulnerabilities in legacy XML parsers rather than unvalidated user inputs. XML documents can be used to traverse paths, execute code remotely and execute server-side request forgery (SSRF).

• Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious JavaScript. The target’s browser executes the code, enabling the attacker to redirect users to a malicious website or steal session cookies to hijack a user’s session. An application is vulnerable to XSS if it doesn’t sanitize user inputs to remove JavaScript code.

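
To make the SQL injection item above concrete, here is an added Python example (not from the original notes) that builds the same login lookup two ways against a constructed in-memory SQLite table: once by string concatenation, which lets a quote in the input change the structure of the query, and once as a parameterised query, which is the standard fix. The table contents, user names and passwords are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the statement by concatenating user input into the SQL text.

    The input becomes part of the query itself, so a quote character in it
    terminates the string literal early and whatever follows is parsed as
    SQL. This is the defect the notes describe as SQL injection.
    """
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn, username, password):
    """Same lookup as a parameterised query.

    The SQL text is fixed; the driver sends the values separately, so they
    are only ever compared as data and cannot change the statement.
    """
    query = ("SELECT username FROM users WHERE username = ? AND password = ? "
             "ORDER BY username")
    return [row[0] for row in conn.execute(query, (username, password)).fetchall()]


def demo():
    """Run both versions with valid credentials and with an injected value."""
    conn = make_db()
    # Valid credentials behave identically under both versions.
    good_v = login_vulnerable(conn, "alice", "s3cret-alice")
    good_s = login_safe(conn, "alice", "s3cret-alice")
    # Input containing a quote: in the concatenated query the password
    # comparison is closed early and an always-true condition is ORed in,
    # so every row matches. The parameterised query just compares the
    # literal string and matches nothing.
    injected = "x' OR '1'='1"
    bad_v = login_vulnerable(conn, "alice", injected)
    bad_s = login_safe(conn, "alice", injected)
    return good_v, good_s, bad_v, bad_s


if __name__ == "__main__":
    print(demo())
```
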
What are the different types of cybersecurity threats?

Keeping up with new technologies, security trends and threat intelligence is a challenging task. It is necessary in order to protect information
and other assets from cyberthreats, which take many forms. Types of cyberthreats include:

• Malware is a form of malicious software in which any file or program can be used to harm a computer user. Different types of malware include worms, viruses, Trojans and spyware.

• Ransomware is another type of malware that involves an attacker locking the victim's computer system files -- typically through encryption -- and demanding a payment to decrypt and unlock them.

• Social engineering is an attack that relies on human interaction. It tricks users into breaking security procedures to gain sensitive information that is typically protected.

• Phishing is a form of social engineering where fraudulent email or text messages that resemble those from reputable or known sources are sent. Often random attacks, the intent of these messages is to steal sensitive data, such as credit card or login information.

• Spear phishing is a type of phishing that has an intended target user, organization or business.

• Insider threats are security breaches or losses caused by humans -- for example, employees, contractors or customers. Insider threats can be malicious or negligent in nature.

• Distributed denial-of-service (DDoS) attacks are those in which multiple systems disrupt the traffic of a targeted system, such as a server, website or other network resource. By flooding the target with messages, connection requests or packets, the attackers can slow the system or crash it, preventing legitimate traffic from using it.

• Advanced persistent threats (APTs) are prolonged targeted attacks in which an attacker infiltrates a network and remains undetected for long periods of time with the aim to steal data.

• Man-in-the-middle (MitM) attacks are eavesdropping attacks that involve an attacker intercepting and relaying messages between two parties who believe they are communicating with each other.

Other common attacks include botnets, drive-by-download attacks, exploit kits, malvertising, vishing, credential stuffing attacks, cross-site scripting (XSS) attacks, SQL injection attacks, business email compromise (BEC) and zero-day exploits. Malware variants vary, from ransomware to worm to virus.

Harmful acts in cyber security

The motive of attackers


5 Cyber Attack Motives

1. The Opportunistic Attacker: The attacker's main motivation is money. Once the infection takes place, the attacker usually tries
to monetize the infected computer using different techniques, such as:
Ransomware - Blocking access to files on the machine by encrypting them until the user pays.
2. Industrial Opportunistic Attackers: These attackers use opportunistic infection methods, but they specifically target industrial
companies and, once again, the main motivation is money. In this case, however, the attackers know that targeting an industrial
company can result in higher profits and they use this to their benefit. Ransomware is extremely popular in ICS attacks, for
example.
3. Competitors: Intellectual Property (IP) is a key element in the growing industrial world. Innovative methods of production,
solutions, etc. are pieces of data that help companies excel in their field. Data theft via cyber espionage can have a catastrophic
impact on a given company. How common this type of attack is remains unknown.
Attackers typically aim at two different outcomes:
1. Learning the secret "recipe" for the production of a certain product.
2. Trying to hinder or stop the production of the competitors.
4. Insider Threat: A disgruntled employee or ex-employee can seek revenge against their employer. Sabotage from inside the
company usually means catastrophic outcomes for that company. Since it is an “inside job”, employees who have access to the
company’s network can perform any action an external hacker could if they had elevated privileges and full access. Revenge
attacks by employees are impactful but rare. Their primary motivation is emotional - getting revenge, letting out frustration, and so
forth.
5. Advanced Persistent Threats (APT): Advanced Persistent Threats are seen in the industrial world when an organization or
country tries to stop or damage the production process as part of cyberwar. Other motivations can be efforts to block the
technical advancement of a specific country or to send a message to an opponent. The main goal of APTs is psychological
warfare, e.g., sending a message to opponents. Therefore, the targets are typically high-profile companies and critical
infrastructures, which is why ensuring power grid, defense, and oil and gas cybersecurity is crucial. History has shown that APTs often
do not target small companies or cause minor damages. Since many of these attacks are complex, state-sponsored, and
customized to their target, their severity tends to be very high.

What is an Active Attack?

Active Attack Definition: An active attack is a type of cyberattack in which a hacker attacks a system and modifies its data or
information to suit the hacker's own ends and perform malicious tasks.

During active attacks, the attacker takes an active role in an attempt to gain unauthorized access to a system or network. To do that, they can
perform various malicious activities, such as injecting malware, launching a denial-of-service (DoS) attack, or altering data. An active attack
typically aims to gain control over the system or steal data.

When an active attack happens, the victim becomes aware of the attack because the data is changed or modified. And because of that data
modification, these attacks greatly threaten the integrity and availability of data.

Here are some examples of active attacks:

• Phishing: In this attack, the hacker attempts to gain unauthorized access to a computer system to seize, modify, or steal data.

• Man-in-the-Middle: In this attack, the hacker intercepts and relays communications between two parties who assume they are
talking directly with one another.

• Ransomware: In this attack, the hacker uses malware to prevent a user or organization from accessing files on their computer.

What is a Passive Attack?

Passive Attack Definition: A passive attack is a cyberattack in which a hacker attacks a system and copies or reads the contents of the
message or the information available but does not modify the information.

During passive attacks, the attacker monitors and eavesdrops on the network traffic to gain access to confidential or sensitive data. Passive
attacks are extremely hard to identify, as the attacker does not actively take part in the attack. Hence, the victim is uninformed about the
attack as there is no change in the data.

Here are some examples of passive attacks:

• Eavesdropping: In this type of attack, the hacker listens in on other people’s conversations without their knowledge.

• Footprinting: In this type of attack, the hacker gathers as much information as possible about a computer system or network
in order to find ways to penetrate it.

Key Differences Between Active and Passive Attacks


Here are the key differences between active and passive attacks:

• A passive attack does not harm the attacked system, whereas an active attack does.

• An active attack can be detected fairly easily, whereas a passive attack is difficult to detect.

• In an active attack, the victim becomes aware of having been attacked, but that is not the case in a passive attack.

• An active attack is a danger to the integrity and availability of the data, whereas a passive attack is a danger to the confidentiality
of the data.

• The purpose behind active attacks is to harm the system or the organization, whereas passive attacks aim to learn about the system or
the organization.

• An active attack is one in which hackers modify the information or the data. In contrast, a passive attack is one
in which hackers do not modify the information or the data.
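As an added example (not part of the original notes), the following Python simulation shows the detection difference stated in the points above: a message carries an HMAC-SHA256 tag under a key shared by sender and receiver, so an active attack that modifies the payload fails verification at the receiver, while a passive attack that only copies the payload leaves the tag valid and goes unnoticed. The key, the message text and the two interception functions are constructed for illustration.

```python
"""Added example: why modification (active) is detectable and eavesdropping (passive) is not.
The shared key and message are constructed for this example only."""
import hashlib
import hmac

# Constructed shared key; a real deployment would load it from a key store.
SHARED_KEY = b"constructed-example-key"


def make_message(payload: bytes, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_message(msg: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, msg["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def passive_interception(msg: dict, captured: list) -> dict:
    """Models eavesdropping: the payload is copied, the message is forwarded unchanged."""
    captured.append(msg["payload"])
    return msg


def active_interception(msg: dict, captured: list) -> dict:
    """Models tampering in transit: the payload is altered but the tag cannot be
    recomputed without the key, so the original tag is forwarded as-is."""
    captured.append(msg["payload"])
    altered = msg["payload"].replace(b"100", b"9000")
    return {"payload": altered, "tag": msg["tag"]}


def simulate(payload: bytes, interception) -> dict:
    """Deliver one message through an interception function and report what the
    receiver's integrity check and the attacker's capture look like."""
    captured = []
    delivered = interception(make_message(payload), captured)
    return {
        "integrity_ok": verify_message(delivered),          # False => active attack detected
        "attacker_saw_plaintext": captured[0] == payload,   # True in both cases: no confidentiality
    }


if __name__ == "__main__":
    order = b"pay 100 to account 42"
    print("passive:", simulate(order, passive_interception))
    print("active: ", simulate(order, active_interception))
```

The tag gives the receiver a way to detect the active attack, but it does nothing for confidentiality: the attacker reads the plaintext in both runs. Protecting against the passive attack requires encrypting the payload as well, which is why the two properties are listed separately above.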

What are the top cybersecurity challenges?

Cybersecurity is continually challenged by hackers, data loss, privacy, risk management and changing cybersecurity strategies. The number
of cyberattacks is not expected to decrease in the near future. Moreover, increased entry points for attacks, such as with the arrival of the
internet of things (IoT), and the growing attack surface increase the need to secure networks and devices.

Major challenges that must be continuously addressed include evolving threats, the data deluge, cybersecurity awareness training, the
workforce shortage and skills gap, and supply chain and third-party risks.

Evolving threats

One of the most problematic elements of cybersecurity is the evolving nature of security risks. As new technologies emerge, and as
technology is used in new or different ways, new attack avenues are developed. Keeping up with these frequent changes and advances in
attacks, as well as updating practices to protect against them, can be challenging. Issues include ensuring all elements of cybersecurity are
continually updated to protect against potential vulnerabilities. This can be especially difficult for smaller organizations without adequate
staff or in-house resources.

Data deluge
Additionally, organizations gather a great deal of data on individuals who use one or more of their services. As more data is
collected, the likelihood that a cybercriminal will try to steal personally identifiable information (PII) becomes another concern. For example, an
organization that stores PII in the cloud may be subject to a ransomware attack. Organizations should do what they can to prevent a cloud
breach.

Cybersecurity awareness training

Cybersecurity programs should also address end-user education. Employees may accidentally bring threats and vulnerabilities into the
workplace on their laptops or mobile devices. Likewise, they may act insecurely -- for example, by clicking links or downloading attachments
from phishing emails.

Regular security awareness training will help employees do their part in keeping their company safe from cyberthreats.

Workforce shortage and skills gap

Another challenge to cybersecurity is a shortage of qualified cybersecurity personnel. As the amount of data collected and used by
businesses grows, the need for cybersecurity staff to analyze, manage and respond to incidents also increases. (ISC)2 estimated the
workforce gap between needed cybersecurity jobs and available security professionals at 3.4 million.

Supply chain attacks and third-party risks

Organizations can do their best to maintain security, but if the partners, suppliers and third-party vendors that access their networks don't act
securely, all that effort is for naught. Software- and hardware-based supply chain attacks are becoming increasingly difficult security
challenges to contend with. Organizations must address third-party risk in the supply chain and reduce software supply issues, for example
by using software bills of materials.

How is automation used in cybersecurity?

Automation has become an integral component to keep companies protected from the growing number and sophistication of cyberthreats.
Using artificial intelligence (AI) and machine learning in areas with high-volume data streams can help improve cybersecurity in three main
categories:

• Threat detection. AI platforms can analyze data and recognize known threats, as well as predict novel threats.

• Threat response. AI platforms also create and automatically enact security protections.

• Human augmentation. Security pros are often overloaded with alerts and repetitive tasks. AI can help eliminate alert fatigue by
automatically triaging low-risk alarms and automating big data analysis and other repetitive tasks, freeing humans for more
sophisticated tasks.

Other benefits of automation in cybersecurity include attack classification, malware classification, traffic analysis, compliance analysis
(checking that systems meet requirements imposed by law or by departmental regulation or order) and more.

Cybersecurity vendors and tools

Vendors in the cybersecurity field typically offer a variety of security products and services. Common security tools and systems include:

• Identity and access management (IAM)

• Firewalls

• Endpoint protection

• Antimalware/antivirus

• Intrusion prevention/detection systems (IPS/IDS)

• Data loss prevention (DLP)

• Endpoint detection and response

• Security information and event management (SIEM)

• Encryption tools

• Vulnerability scanners

• Virtual private networks (VPNs)

• Cloud workload protection platform (CWPP)

• Cloud access security broker (CASB)


Well-known cybersecurity vendors include Check Point, Cisco, Code42, CrowdStrike, FireEye, Fortinet, IBM, Imperva, KnowBe4,
McAfee, Microsoft, Palo Alto Networks, Rapid7, Splunk, Symantec by Broadcom, Trend Micro and Trustwave.

What are the career opportunities in cybersecurity?

As the cyberthreat landscape continues to grow and new threats emerge -- such as IoT threats -- individuals are needed with cybersecurity
awareness and hardware and software skills.

CISO tasks range widely to maintain enterprise cybersecurity.

IT professionals and other computer specialists are needed in security roles, such as:

• Chief information security officer (CISO) is the individual who implements the security program across the organization and
oversees the IT security department's operations.

• Chief security officer (CSO) is the executive responsible for the physical and/or cybersecurity of a company.

• Security engineers protect company assets from threats with a focus on quality control within the IT infrastructure.

• Security architects are responsible for planning, analyzing, designing, testing, maintaining and supporting an enterprise's critical
infrastructure.

• Security analysts have several responsibilities that include planning security measures and controls, protecting digital files, and
conducting both internal and external security audits.

• Penetration testers are ethical hackers who test the security of systems, networks and applications, seeking vulnerabilities that
could be exploited by malicious actors.

• Threat hunters are threat analysts who aim to uncover vulnerabilities and attacks and mitigate them before they compromise a
business.

Other cybersecurity careers include security consultants, data protection officers, cloud security architects, security operations center
(SOC) managers and analysts, security investigators, cryptographers and security administrators.

The Spectrum of Cyber Attack

By understanding the various attacks at each level within the spectrum, leaders and planners at the operational level will be better positioned
to pursue objectives, describe expected end-states, and express various tradeoffs between methods. This will allow for the proper allocations
of time, resources, and effort toward a particular objective.
Level 1: Network Denial

Definition. A cyber attack that prevents a network from communicating with external networks.

Description. The first level of attack is the most simple to conduct, difficult to stop, and thus commonly used. Level 1, Network Denial,
targets only the transmission of information, not the actual information itself. These attacks may affect only a part of the network or the
network in its entirety. They can be accomplished through several different methods, many of which are exceedingly difficult for the victim
to stop. Level 1 attacks primarily differ from other levels in that they affect the target’s ability to interact with other organizations while
internal processes are largely unaffected.

Examples. A simple example of Network Denial is characterized by an attacker that logs into a router at the border of an organization’s
network and stops it from transferring data. This example results in the blocking of all traffic on a network and isolates the target
organization, temporarily preventing it from transmitting any information in or out using computer networks. This type of network isolation
degrades the operations of any organization but only as long as the target is unable to restore proper functionality.

More advanced level 1 attacks require national-level resources or access to central backbones of the internet. These include Border Gateway
Protocol hijacking, Domain Name Server hijacking, and large-scale Distributed Denial of Service, all of which have been used by either
Russia, Iran, or China.5 These attacks take advantage of the fundamental trust that the internet is built on, giving them the added benefit that
there is very little a victim can do to stop them, and they are always at the disposal of a nation.

Tradeoffs. Network Denial attacks are conceptually simple to execute but only provide temporary paralysis of a target’s operations. Fewer
moving pieces at the technical level results in the highest chance for success compared to all other levels and requires far less knowledge
about the target. New targets can be attacked within hours or days and require little preparation. The trade-off, however, is that level 1
attacks draw significant attention and are quick to diagnose. Overall, level 1 attacks require less time, less funding, and thus less commitment,
yet they are only expected to disable an organization for hours to days depending on the sophistication of the target’s personnel.

(Source: Musielewicz, Air & Space Power Journal, Winter 2020, p. 94)

Level 2: Enterprise Denial

Definition. A cyber attack that denies an organization’s users access to their data.

Description. The next level of cyber attack also disables an
organization, but in a manner that inhibits the daily activities of end-users. The term enterprise is used to describe the systems and
applications users rely on to perform day-to-day tasks. Examples of daily activities affected by level 2 attacks include the ability to log into
computers, send e-mail, and alter documents. Level 2 attacks differ from level 1, Network Denial, in that they specifically disrupt
information that an organization’s users interact with directly.

Examples. The most common example of a level 2 attack is ransom malware, or “ransomware,” currently in vogue with cybercriminals.
Ransomware does not need to know anything about an organization before executing its core objective, to deny users access to their data by
encrypting it. The files that become encrypted are critical to the system users as the malicious software attacks all files, historical records,
activity records, and any others used to carry out daily tasks and company function. This is precisely why it is so devastating for companies
hit by such attacks. The most destructive level 2 attack to date has been the “NotPetya” ransomware that caused an estimated $10 billion in
damages worldwide in 2017. As an example of the financial impact caused by NotPetya, the international shipping company Maersk alone
suffered $300 million in damages and experienced a complete operational shut down for almost a week. This level of disaster is not unique
to Maersk,6 or even NotPetya itself. “WannaCry,” “SamSam,” and “Ryuk” are all well-documented ransomware attacks dating back to 2017
that inflicted millions in financial costs and achieved wide-scale operational impacts across numerous organizations.7

Tradeoffs. Level 2 attacks are likely to cost more financially than any other cyber attack, purely based on the scope and number of systems they affect. Similar
to level 1, level 2 attacks require very little target knowledge, and thus, require less time and monetary investment than other levels.
However, the likelihood of success of level 2 attacks is also less than that of level 1 attacks due to the deeper network access required.
Additionally, the most damaging level 2 attacks to date only managed to take organizations offline for a few days despite the severe
financial costs, and all operations were restored in a matter of weeks.

Level 3: Enterprise Manipulation

Definition. A cyber attack that manipulates the decision-making of an organization’s users without being detected.

Description. Enterprise
Manipulation is the first level on the spectrum that tailors more toward affecting the behavior of the adversary than removing their ability to
operate. These attacks target the same computer systems as level 2, Enterprise Denial, attacks but utilize a deeper understanding of the
organization to influence or corrupt, but not deny, common organizational processes. Further, a key objective in executing a level 3 attack is
to do so without the user being aware of the attack. This is the key distinction between level 3 and the first two levels. Level 3 attacks must
be performed in a manner that is neither predictable nor widespread throughout the target organization. Enterprise users have been conditioned
over time to be mistrusting of computers and software due to confusing interfaces, technical user manuals, overall complexity, and frequent
data loss. By introducing outside gremlins into the systems, end-users can further lose confidence in their ability to effectively perform
tasks, thereby leading to loss in productivity and organizational effectiveness.

Examples. Although data manipulation has only started to be openly discussed in the past few years,8 it is easy to envision the potential
chaos that can result from such attacks and has captured the imagination of television producers in series such as “Mr. Robot.”9 These
attacks can be as simple as removing key e-mails, locking particular user accounts, or corrupting vital user files. More robust and potentially
far-reaching attacks can be catastrophic, such as manipulating financial or human resource data. According to Forbes, the manipulation of
financial data is already extensively practiced by North Korean hackers. North Korea has stolen a staggering $2 billion in 35 compromises
across 17 nations.10 For example, North Korea drained $498K from the city of Tallahassee by manipulating payroll data.11 These attacks
were designed to obtain funds rather than impose crippling costs on the underlying organizations, yet the devastating impact to the
organizations were the same.

Tradeoffs. Enterprise Manipulation attacks strike at the psyche of an organization with the aim of crippling its effectiveness for a prolonged
period of time. Levels 1 and 2 cause overt disruptions resulting in temporary outages, but level 3 attacks can hinder an organization for an
indefinite period of time. These attacks require a nearly identical preparation time as level 2 but have a much lower chance of success and
less quantifiable results. Level 3 attacks also cost more to execute because they must use more sophisticated tools to remain undetected in
the target network. Level 3 attacks will not likely impose costs similar to the other levels, but they allow attackers to remain within the
network undetected while eroding the productivity of an organization. Level 3 attacks also provide the ability to engage a target without the
increased risks of retaliation or escalation because of their inherent stealth and plausible deniability. As long as level 3 attacks remain
hidden, they allow the perpetrator to develop level 4 and level 5 attacks, all while the target simultaneously suffers negative impacts on
efficiency and productivity.

Level 4: Mission Denial

Definition. A cyber attack that specifically prevents the operation of processes or systems critical to an organization’s mission.

Description.
The final two levels of the Spectrum of Cyber Attack focus solely on the chain of systems and processes that are essential to an organization
carrying out its core mission. This focus may be the destruction of mission-critical data or even—in very specific scenarios—the physical
destruction of hardware through industrial control system manipulation. The precision of these attacks is what specifically distinguishes
level 4, Mission Denial, from level 2, Enterprise Denial.

Example. The 2015 Russian attack on the Ukraine power grid is a prime example of a level 4 cyber attack. During this attack, Russia gained
critical access to three primary Ukrainian power companies undetected. Once inside the networks, the malicious actors immediately targeted
the systems used by internal operators to control the generation of power. The actors surveilled the system operators long enough to learn
which interfaces were used to control the power generators. Once known, the attackers systematically shut the generators down and disabled
remote access to the controlling computers. By preventing the power generator operators from remotely bringing the systems back online,
technicians were required to physically travel and manually restart each generator, a process that took six hours to complete. What makes
this example a level 4 attack instead of a level 2 is that the actors were specifically targeting those systems that were essential to the
organization executing its core mission—generating power. If these same actions were conducted against systems not vital to this mission,
they would be classified as a level 2 attack.

Tradeoffs. From an attacker’s perspective, level 4 attacks are much more predictable than level 2 because of their precise nature. These
attacks are far more likely to create the specific effect desired. Reducing the scope of an attack and executing with precision allows the
attacker to tailor to specific strategic objectives and execute with a higher level of certainty. In contrast, level 2, Enterprise Denial, has the
potential to prevent an organization from accomplishing its primary mission, but only as a byproduct of the primary attack. It is easier for a
victim to restore mission-critical functions following a level 2 attack because of the universal aspect of level 2 attacks versus the subtlety
required for level 4. Level 2 attacks are far more common and less sophisticated, making them more likely to be anticipated and mitigated
by network defenders. Level 4 attacks require notably longer time commitments than levels 1, 2, and 3. This is due to the in-depth
understanding required to learn the specifics of how an organization conducts its mission and the time required to maneuver to those
systems that enable that mission. These longer time commitments naturally cause the overall cost of operations to go up. The longer an actor
must remain in a network, the more sophisticated their tools must be to stay undetected. Once a level 4 attack is executed, it will quickly be
discovered by network defenders and the remedy will likely be straightforward. The effective downtime of the organization relies heavily on
the extent of any physical damage and is further influenced by the scarcity of any specialized hardware required.

Level 5: Mission Manipulation

Definition. A cyber attack that specifically manipulates the systems or processes critical to an organization’s mission without being
detected.

Description. Mission Manipulation is the most sophisticated and strategically complex cyber attack within the spectrum. Mission
Manipulation allows for the repeated, sustained disruption of the fundamental mission of an organization. Level 5 attacks are identical to
level 4 except for the critical fact that they are executed without being detected. This is a small distinction but is exceptionally difficult to
achieve.

Example. The destruction of mission-critical systems and the manipulation required to hide those actions has only been demonstrated by
one publicly disclosed cyber attack to date: Stuxnet. Extensively documented, Stuxnet is known for the physical destruction it inflicted on
Iranian centrifuges from April 2009– June 2010.14 Yet, the true brilliance of Stuxnet was its skillful deception of the end-users of these
systems. Stuxnet systematically destroyed these mission-critical centrifuges while at the same time manipulating the monitoring components
to tell the engineers they were functioning properly. Because of the criticality of these centrifuges, the paired destruction and deception of
Stuxnet disrupted the organization’s ability to perform its primary mission and set back Iran’s nuclear program a minimum of two years.15
The attack exacerbated financial burdens and according to a report by the Center for Security Studies, “likely culminated in an overall
feeling of insecurity throughout Iranian society.”16 Even after the discovery of Stuxnet, Iran was not able to fully trust their systems—not
knowing whether a failure was generated by human error or the actions of malicious code lurking in their systems.

Tradeoffs. Level 5 attacks require substantially more resources than any other level, both in time and human capital. Mission Manipulation
is expected to require a combination of customized tools, in-depth knowledge, sophisticated cyber expertise, specialized engineering
knowledge, and significant amounts of time. It requires time to gain network access, time to harvest information, time to develop tools, time
to maneuver within the network, and time to execute. It was speculated that Stuxnet required the combined efforts of Israel and the United
States17—two of the most technologically sophisticated nations in the world—a minimum of three years of preparation, a year of
continuous execution, and an estimated $100 million dollars.18 The target knowledge, commitment, and technical expertise required to
execute attacks at level 5 demands real-time development as the exact configurations and nuances of mission systems are almost impossible
to know before accessing them. The skills and tools for such specialized or indigenous mission systems may be extremely hard to find, or
may not exist, requiring them to be built from the ground up. In spite of these heavy constraints, a level 5 attack has the ability to cause
massive high-level impacts that rival the sophistication of any operation in the other warfare domains. It can single-handedly achieve
strategic objectives through nonkinetic means, and importantly, allow for plausible deniability that reduces the risk of retaliation and conflict
escalation. As seen in the Stuxnet example, the culmination of such high levels of investment can produce powerful effects that last for
years.

Security Models

Concept of security models

Security models define how an operating system's behaviour relates to the requirements of information security. Effective and
efficient security models protect the sensitive and relevant information or data of an organization. A security policy is verified against an
information security model: the model gives the computer a precise set of directions for implementing the vital security processes,
procedures, and concepts contained in a security program, and it defines the security concerns for the organization's information flows.

Security models are used to evaluate and validate the security policy and to map the intellectual property of the information system. They
represent the mathematical and analytical ideas developed by their designers, and these ideas are mapped onto the system
specifications through program code.

These models uphold the CIA properties, namely confidentiality, integrity, and availability. The CIA properties are elaborated in detail below.

Confidentiality

Confidentiality refers to protecting data from unauthorized access. Only legitimate users can access sensitive information. The main goal
of confidentiality is to stop information from getting into the wrong hands. There are many ways to protect data confidentiality, such as the use of
strong passwords, authentication, data encryption, segregation of data and so forth. Some common threats to confidentiality are:

• Encryption cracking.
• Eavesdropping attack.
• Malicious insiders.
• Man-in-the-middle attack.

Integrity

Integrity is used to validate the information. It checks whether the information is in the correct format and whether it is true and
correct for its original purposes. Integrity ensures that the information the receiver sees is the same as what the creator produced.
The information can be edited only by an authorized person, which prevents unwanted modification; no one else is granted rights to
change or modify the data. In some cases, an electromagnetic pulse (EMP) or a server crash can also break integrity.

So, integrity ensures the accuracy, trustworthiness, and validity of data throughout its life cycle; data holds value only if it is truthful. There must be
mechanisms to restore data in case of unintended changes. Some challenges that could affect the integrity of information are:

• Physical compromise of a device.
• Human error.

Data encryption and hashing are the mechanisms used to preserve integrity.

Availability

This implies that the network should be accessible to its users at all times. This holds true for both systems and data. To ensure network
availability, network administrators should maintain hardware, perform regular upgrades, have a fail-over plan, and avoid bottlenecks.
Attacks such as DoS or DDoS can make a network unusable as the network's resources are depleted. Companies and users who rely on the
network as a business tool may suffer from a substantial impact. As a result, sufficient precautions should be taken to avoid such attacks.

Threats to information availability arise for many reasons, such as:

• Malicious code.
• Insufficient bandwidth.
• DDoS (Distributed Denial of Service attack).

There are three main types of classic security models, namely:

1. Bell-LaPadula model
2. Biba model
3. Clark-Wilson security model

Bell-LaPadula model

This model was invented by David Elliott Bell and Leonard J. LaPadula and is therefore known as Bell-LaPadula. This model
is used to ensure the confidentiality of information. It defines the functions of a multilevel security system. It is the first mathematical model
that prevents secret information from being accessed in an unauthorized manner.

Bell-LaPadula model

In this picture, the user and the files are arranged in a non-discretionary manner concerning different layers of secrecy.

It follows three basic rules:

 Simple confidentiality rule
 Star confidentiality rule
 Strong star confidentiality rule

Simple confidentiality rule

This rule is called the NO READ-UP rule: a user can read files on the same layer of secrecy or on a lower layer, but cannot read files on a
higher layer of secrecy. A user with SECRET clearance may read CONFIDENTIAL files but not TOP SECRET ones.

Star confidentiality rule

This rule is called the NO WRITE-DOWN rule: a user can write files on the same layer of secrecy or on a higher layer, but cannot write files
on a lower layer of secrecy. It stops a user (or a program running on the user's behalf) from copying secret content into a file that lower-cleared
users are allowed to read.

Strong star confidentiality rule

This rule is called the NO READ-WRITE UP-DOWN rule: the user can read and write files only on the same layer of secrecy, and can neither
read nor write files on a higher or lower layer. This is the most restrictive rule in Bell-LaPadula.

Biba model

The Biba model is named after its inventor Kenneth J. Biba. This model is used to ensure the integrity of information: its labels rank how
trustworthy a subject or object is, not how secret it is, and its rules are the mirror image of Bell-LaPadula's.
It follows 3 rules:

 Simple integrity rule
 Star integrity rule
 Strong star integrity rule

Simple integrity rule

This rule is called the NO READ-DOWN rule: a user can read files only on the same layer of integrity or on a higher layer, but cannot read
files on a lower layer of integrity. Reading low-integrity (untrusted) data would let it contaminate the user's high-integrity work.

Star integrity rule

This rule is called the NO WRITE-UP rule: a user can write files only on the same layer of integrity or on a lower layer, but cannot write files
on a higher layer of integrity. A less trusted user must not be able to alter data that more trusted users rely on.

Strong star integrity rule

This rule is called the NO READ-WRITE UP-DOWN rule: the user can read and write files only on the same layer of integrity, and can neither
read nor write files on a higher or lower layer. This is the most restrictive rule in Biba.
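The Bell-LaPadula and Biba rules above, as one added example in code (not from the original notes). A total order of labels stands in for the models' lattice of (level, categories); the level names, the combined check and the `table` helper are assumptions made for the demonstration, covering both model sections.

```python
from enum import IntEnum

# Added example. A total order of levels stands in for each model's lattice of
# (level, categories); the rules below are the same either way.

class Secrecy(IntEnum):          # Bell-LaPadula labels
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Integrity(IntEnum):        # Biba labels, a separate lattice in practice
    LOW = 0
    MEDIUM = 1
    HIGH = 2

def blp_allows(subject: Secrecy, obj: Secrecy, op: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula confidentiality rules."""
    if op == "read":                       # simple security property: no read up
        return subject >= obj
    if op == "write":
        if strong_star:                    # strong *-property: write at own level only
            return subject == obj
        return subject <= obj              # *-property: no write down
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject: Integrity, obj: Integrity, op: str, strong_star: bool = False) -> bool:
    """Biba integrity rules: the dual of Bell-LaPadula."""
    if op == "read":                       # simple integrity property: no read down
        return subject <= obj
    if op == "write":
        if strong_star:                    # strong *-integrity: write at own level only
            return subject == obj
        return subject >= obj              # *-integrity property: no write up
    raise ValueError(f"unknown operation {op!r}")

def allowed(subject: tuple, obj: tuple, op: str) -> bool:
    """Hypothetical system enforcing both models at once: subject and obj are
    (secrecy, integrity) label pairs, and both rules must agree."""
    s_sec, s_int = subject
    o_sec, o_int = obj
    return blp_allows(s_sec, o_sec, op) and biba_allows(s_int, o_int, op)

def table(check, levels, op):
    """Access matrix for one rule: rows are subject levels, columns object levels."""
    return {s.name: {o.name: check(s, o, op) for o in levels} for s in levels}

if __name__ == "__main__":
    print("Bell-LaPadula write (rows: subject, columns: object)")
    for name, row in table(blp_allows, list(Secrecy), "write").items():
        print(name.ljust(13), " ".join("W" if ok else "." for ok in row.values()))
```

Printing the matrices makes the duality visible: the Bell-LaPadula write table is the transpose of the Biba write table. The combined check also shows why the two are usually not enforced on the same label: a SECRET-cleared, high-integrity analyst is allowed by Bell-LaPadula to read a SECRET file but is refused by Biba if that file is low-integrity.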

Clark-Wilson Security Model

This model is aimed at commercial integrity rather than military secrecy: it enforces well-formed transactions (data may change only in
ways that are certified to keep it consistent) and separation of duties (the person who certifies a procedure is not the one who runs it). It
has the following entities:

Figure: Clark-Wilson security model.

Subject

It is the user who requests the data items.

Constrained data items

Users cannot access constrained data items (CDIs) directly; they are reached only through the procedures described below.

Unconstrained data item

Users can access unconstrained data items (UDIs) directly. Data arriving from outside the system starts as a UDI and must be validated by a
transformation procedure before it can become a CDI.

The constrained data can be accessed only through the following procedures:

1. Transformation procedure (TP)

The user requests a change to constrained data items, and the request is handled by a certified transformation procedure. A TP takes the CDIs
from one valid state to another valid state; the system records which users may run which TPs on which CDIs (access triples), and every TP
execution is written to an audit log.

2. Integrity verification procedure (IVP)

An IVP checks that the constrained data items are in a valid state. It is run when the system is set up and again after transactions, so that a
change that bypassed the TPs, or a TP that misbehaved, is detected. Together with authentication of the user and the access triples above, this
is what allows a user's request to reach the constrained data items.
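An added example of Clark-Wilson enforcement (not code from any real system or from the original notes). Account balances are the constrained data items, a funds transfer is the certified transformation procedure, and the integrity verification procedure checks that no balance is negative and that the total is conserved. The class, the `teller`/`intern` users, the access triples and the balances are all assumptions constructed for the demo.

```python
import copy
from dataclasses import dataclass

# Added example of Clark-Wilson enforcement. Account balances are the
# constrained data items (CDIs); the only sanctioned write path to them is
# through certified transformation procedures (TPs).

@dataclass
class CDI:
    name: str
    balance: int

def tp_transfer(cdis, src, dst, amount):
    """Certified TP: moves funds between two CDIs. It does not check the
    invariants itself; the IVP run after it does."""
    cdis[src].balance -= amount
    cdis[dst].balance += amount

CERTIFIED_TPS = {"transfer": tp_transfer}     # E1: only certified TPs may touch CDIs

class ClarkWilson:
    def __init__(self, cdis, triples):
        self.cdis = cdis
        self.triples = set(triples)     # E2: (user, tp, cdi) access triples
        self.total = sum(c.balance for c in cdis.values())
        self.log = []                   # C4: append-only audit log (itself a CDI)

    def ivp(self):
        """C1: integrity verification procedure. A valid state has no
        overdraft and conserves the total amount of money."""
        balances = [c.balance for c in self.cdis.values()]
        return all(b >= 0 for b in balances) and sum(balances) == self.total

    def run_tp(self, user, tp_name, cdi_names, **params):
        """The single entry point through which users reach CDIs."""
        if tp_name not in CERTIFIED_TPS:
            self.log.append((user, tp_name, cdi_names, "denied: uncertified TP"))
            return False
        missing = [n for n in cdi_names if (user, tp_name, n) not in self.triples]
        if missing:
            self.log.append((user, tp_name, cdi_names, f"denied: no triple for {missing}"))
            return False
        snapshot = copy.deepcopy(self.cdis)
        CERTIFIED_TPS[tp_name](self.cdis, *cdi_names, **params)
        if not self.ivp():              # C2: a TP must leave the CDIs in a valid state
            self.cdis = snapshot        # roll back the ill-formed transaction
            self.log.append((user, tp_name, cdi_names, "rolled back: IVP failed"))
            return False
        self.log.append((user, tp_name, cdi_names, "ok"))
        return True

def demo():
    cw = ClarkWilson(
        {"alice": CDI("alice", 100), "bob": CDI("bob", 50)},
        {("teller", "transfer", "alice"), ("teller", "transfer", "bob")},
    )
    ok = cw.run_tp("teller", "transfer", ("alice", "bob"), amount=30)          # well-formed
    overdraft = cw.run_tp("teller", "transfer", ("alice", "bob"), amount=500)  # IVP fails
    no_triple = cw.run_tp("intern", "transfer", ("alice", "bob"), amount=1)    # not authorised
    bad_tp = cw.run_tp("teller", "erase", ("alice",))                          # uncertified TP
    balances = (cw.cdis["alice"].balance, cw.cdis["bob"].balance)
    # Writing to a CDI directly, as if it were an unconstrained item, bypasses
    # the TP layer; the next IVP run is exactly what catches that.
    cw.cdis["alice"].balance += 1000
    bypass_detected = not cw.ivp()
    return ok, overdraft, no_triple, bad_tp, balances, bypass_detected, len(cw.log)

if __name__ == "__main__":
    print(demo())
```

The access triples are where separation of duty is expressed: the intern has no triple for the transfer TP, so the request never reaches the data. The snapshot-and-rollback is the simplest way to guarantee that a TP which fails the IVP leaves no trace other than its audit entry.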

Common Mistakes

A common mistake is to confuse the terms confidentiality and integrity. In simple language, confidentiality means that the information
should not fall into the wrong hands: only authorised persons can read it. Integrity means that the data is valid and has not been altered,
except by an authorised person in an authorised way. The two are independent: a message can be kept secret yet be modified in transit, and
a public document can be unchanged yet readable by everyone.

What is Cybersecurity Risk Management?

Cybersecurity risk management is the process of identifying an organization's digital assets, reviewing existing security measures, and
implementing solutions either to continue what works or to mitigate security risks that may threaten the business. This kind of ongoing
vulnerability risk management (VRM) is crucial because both the organization and the external threat landscape keep evolving.

VRM is an ongoing part of all business operations. New exploits are discovered, followed by patches released to fix them. New, potentially
vulnerable devices that increase the attack surface are frequently added to the network. This is especially true with the significant growth of
Internet of Things (IoT) devices and sensors that are being placed in many physical locations.

Cybersecurity Risk Management Strategy

A cybersecurity risk management strategy implements four quadrants that together deliver comprehensive and continuous Digital Risk
Protection (DRP). DRP platforms use multiple reconnaissance methods to find, track, and analyze threats in real time.

They work from two kinds of intelligence. Indicators of compromise (IOCs) are pieces of contextual information discovered in forensic
analysis that alert analysts to past or ongoing attacks, network breaches, or malware infections; these artifacts are typically IP addresses,
URLs, domains, or file hashes known to have been used maliciously. Indicators of attack (IOAs) describe attacker behaviour (for example a
document viewer spawning a shell that then contacts an external host) and so can flag an intrusion before any known artifact appears. Using
both, a DRP solution can analyze risks and warn of attacks. Let's take a look at the four quadrants:

Map - Discover and map all digital assets to quantify the attack surface. Use the map as a foundation to monitor cybercriminal activity.

Monitor - Search the public and dark web for threat references to your digital assets. Translate found threats to actionable intelligence.

Mitigate - Automated actions to block and remove identified threats to digital assets. Includes integration with other security initiatives in
place.

Manage - Manage the process used in the Map, Monitor, and Mitigate quadrants. Enriching IOCs and prioritizing vulnerabilities in this step is
also essential to successful digital risk protection.
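The Monitor and Mitigate quadrants rest on matching IOCs against what the organization's own systems see. As an added example (not from the original notes or any DRP product), the following matches IP, domain and file-hash indicators against a constructed proxy log; the IOC list, the log format and every address, host name and hash in it are made up for the demonstration.

```python
import ipaddress

# Added example: matching indicators of compromise (IOCs) against log records.
# The IOC list and the log lines are constructed for the demo.
IOCS = {
    "ip": ["198.51.100.0/24", "203.0.113.45"],          # single hosts or CIDR blocks
    "domain": ["evil.example", "c2.bad.example"],       # matches the domain and its subdomains
    "sha256": ["0123456789abcdef" * 4],                 # hash of a (fictional) malware sample
}

# Simplified proxy log: "epoch src_ip dst_ip host sha256_of_download_or_-"
SAMPLE_LOG = [
    "1700000001 10.0.0.5 192.0.2.10 www.example.com -",
    "1700000002 10.0.0.5 198.51.100.77 cdn.evil.example " + "0123456789abcdef" * 4,
    "1700000003 10.0.0.9 203.0.113.45 updates.example.org -",
    "1700000004 10.0.0.9 192.0.2.11 notevil.example -",
]

def compile_iocs(iocs):
    """Normalise the feed once so the per-line checks stay cheap."""
    nets = [ipaddress.ip_network(n, strict=False) for n in iocs["ip"]]
    domains = {d.lower().rstrip(".") for d in iocs["domain"]}
    hashes = {h.lower() for h in iocs["sha256"]}
    return nets, domains, hashes

def domain_hit(host, domains):
    """True if host equals an IOC domain or is a subdomain of one. Plain
    substring matching would wrongly flag notevil.example."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def scan(lines, iocs=IOCS):
    """Return one alert per log line that touches any IOC, listing which ones."""
    nets, domains, hashes = compile_iocs(iocs)
    alerts = []
    for line in lines:
        ts, src, dst_ip, host, digest = line.split()
        hits = []
        if any(ipaddress.ip_address(dst_ip) in net for net in nets):
            hits.append(("ip", dst_ip))
        if domain_hit(host, domains):
            hits.append(("domain", host))
        if digest != "-" and digest.lower() in hashes:
            hits.append(("sha256", digest))
        if hits:
            alerts.append({"ts": int(ts), "src": src, "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["src"], [kind for kind, _ in alert["hits"]])
```

The domain check walks the label suffixes rather than doing a substring search, which is the usual source of false positives in home-grown matchers. A line that hits several indicator types at once (here: a download from a flagged network, a flagged domain and a flagged hash) is the kind of record the Manage quadrant would prioritise and enrich first.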

What are the Benefits of Cybersecurity Risk Management?

Implementing cybersecurity risk management ensures cybersecurity is not relegated to an afterthought in the daily operations of an
organization. Having a cybersecurity risk management strategy in place also ensures that procedures and policies are followed at set
intervals, and that security is kept up to date.

Cybersecurity risk management provides ongoing monitoring, identification, and mitigation in the following areas:

 Phishing detection
 VIP and executive protection
 Brand protection
 Fraud protection
 Sensitive data leakage monitoring
 Dark web activity
 Automated threat mitigation
 Leaked credentials monitoring
 Malicious mobile app identification
 Supply chain risks

Why is Cybersecurity Risk Management Important?

Cybersecurity risk management is important because it brings about situational awareness within a security organization.
Simply put, analysts don't know what they don't know. Awareness is the ability to look at all the information available, recognize what's
important, and act accordingly.

It's essential to have a clear understanding of the risks in your organization and those that might arise in the future. You can assess
awareness according to three distinct levels:

 Situational awareness: An organization understands the critical and operational elements (people, data, and process) needed for
executing its information-security strategy.

 Situational ignorance: Organizations assume everything is OK without considering the impact of people, data, and processes.
They may be implementing security controls and awareness training, but there is no straightforward process or strategy that
aligns to risk reduction and mitigation. In this scenario, budgets continue to creep ever upward.

 Situational arrogance: Organizations continue to spend big, while being routinely compromised and breached. In fact, they may
actually take into account people, data, and process, but they fail to act because of other budgetary priorities. In this scenario, it
may only be a matter of time before a business' reputation is severely damaged due to continuous inability to defend against
attacks.

Cybersecurity risk management is the overarching umbrella under which specific kinds of security risk mitigations fall. Implementing a
strategy to assess, identify, mitigate, and remediate vulnerability and risk is critical to every security organization operating on any level in
any sector.

Cyber Threats-Cyber Warfare, Cyber Crime, Cyber terrorism, Cyber Espionage

What Is Cyber Warfare?

Cyber warfare is usually defined as a cyber attack, or series of cyber attacks, that targets a country. It has the potential to wreak havoc on
government and civilian infrastructure and disrupt critical systems, resulting in damage to the state and even loss of life.

7 Types of Cyber Warfare Attacks

Here are some of the main types of cyber warfare attacks.

Espionage

Refers to monitoring other countries to steal secrets. In cyber warfare, this can involve using botnets or spear phishing attacks to
compromise sensitive computer systems and then exfiltrate sensitive information.

Sabotage

Hostile governments or terrorists may steal sensitive information, destroy it, or leverage insider threats such as dissatisfied or careless
employees, or government employees with an affiliation to the attacking country. Government organizations must therefore identify which
information is sensitive and what the risk is if it is compromised or destroyed.

Denial-of-service (DoS) Attacks

DoS attacks prevent legitimate users from accessing a website by flooding it with fake requests and forcing the website to handle these
requests. This type of attack can be used to disrupt critical operations and systems and block access to sensitive websites by civilians,
military and security personnel, or research bodies.

Electrical Power Grid

Attacking the power grid allows attackers to disable critical systems, disrupt infrastructure, and potentially cause bodily harm. Attacks on
the power grid can also disrupt communications, rendering services such as text messages and phone calls unusable.

Propaganda Attacks

Attempts to control the minds and thoughts of people living in or fighting for a target country. Propaganda can be used to expose
embarrassing truths, spread lies to make people lose trust in their country, or side with their enemies.

Economic Disruption

Most modern economic systems operate using computers. Attackers can target computer networks of economic establishments such as stock
markets, payment systems, and banks to steal money or block people from accessing the funds they need.

Surprise Attacks

These are the cyber equivalent of attacks like Pearl Harbor and 9/11. The point is to carry out a massive attack that the enemy isn’t
expecting, enabling the attacker to weaken their defenses. This can be done to prepare the ground for a physical attack in the context of
hybrid warfare.

Examples of Cyber Warfare Operations

Here are several well-publicized examples of cyber warfare in recent times.

Stuxnet Worm

Stuxnet was a worm that attacked the Iranian nuclear program. It is among the most sophisticated cyber attacks in history.
The malware spread via infected Universal Serial Bus (USB) devices and targeted the Siemens supervisory control and data acquisition
(SCADA) systems that drove uranium-enrichment centrifuges. According to most reports, the attack seriously damaged Iran's enrichment
capability and so its ability to produce material for nuclear weapons.

Sony Pictures Hack

An attack on Sony Pictures followed the release of the film "The Interview", which presented a negative portrayal of Kim Jong Un. The
attack is attributed to North Korean government hackers. The FBI found similarities to previous malware attributed to North Korea,
including code, encryption algorithms, and data deletion mechanisms.

Bronze Soldier

In 2007, Estonia relocated a statue associated with the Soviet Union, the Bronze Soldier, from the center of its capital Tallinn to a military
cemetery near the city. Estonia suffered a number of significant cyber attacks in the following months. Estonian government websites,
media outlets, and banks were overloaded with traffic in massive distributed denial of service (DDoS) attacks and consequently were taken
offline.

Fancy Bear

CrowdStrike reported that Fancy Bear, a Russian state-sponsored group that CrowdStrike links to Russian military intelligence, targeted
Ukrainian rocket forces and artillery between 2014 and 2016. The malware was spread via a trojanized Android application used by D-30
Howitzer artillery units to compute targeting data.

Ukrainian officers made wide use of the app, which contained the X-Agent spyware. CrowdStrike described this as a highly successful attack
and claimed the loss of over 80% of Ukraine's D-30 Howitzers, a figure that has since been disputed and that CrowdStrike itself later revised
downward.

Enemies of Qatar

Elliott Broidy, an American Republican fundraiser, sued the government of Qatar in 2018, accusing it of stealing and leaking his emails in
an attempt to discredit him. The Qataris allegedly saw him as an obstacle to improving their standing in Washington.

According to the lawsuit, the brother of the Qatari Emir was alleged to have orchestrated a cyber warfare campaign, along with others in
Qatari leadership. 1,200 people were targeted by the same attackers, with many of these being known “enemies of Qatar”, including senior
officials from Egypt, Saudi Arabia, the United Arab Emirates, and Bahrain.

Conducting Risk Assessments with Cyber Wargames

The best way to assess a nation’s readiness for cyber warfare is to conduct a real-life exercise or simulation, also known as a cyber
wargame.

A wargame can test how governments and private organizations respond to a cyber warfare scenario, expose gaps in defenses, and improve
cooperation between entities. Most importantly, a wargame can help defenders learn how to act quickly to protect critical infrastructure and
save lives.

Cyber wargames can help cities, states, or countries improve readiness for cyber warfare by:

 Testing different situations – such as detecting attacks in early stages, or mitigating risks after critical infrastructure has already
been compromised.

 Testing unusual scenarios – attacks are never conducted “by the book”. By establishing a red team that acts as the attackers and
tries to find creative ways to breach a target system, the defenders can learn how to mitigate real threats.
 Division of labor and cooperation mechanisms – cyber warfare requires many individuals from different organizations and
government units to collaborate. A cyber wargame can bring together those people, who may not know each other, and help them
decide how to work together in the event of a crisis.

 Improving policies – governments may establish cyber warfare policies, but need to test them in practice. A cyber wargame can
test the effectiveness of policies and provide an opportunity for improving them.
